Snort mailing list archives
Re: Writing a rule to trigger on a spoofed mac address
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Tue, 20 Oct 2009 12:21:15 -0500
Although the MAC addrs get saved into the Snort internal data format, nothing in the detection engine makes those values usable by a detection rule. Not that it couldn't be written, just that nothing exists at this time.
From: Dawson,Scottie [mailto:scottie.Dawson () ColoState EDU]
Sent: Tuesday, October 20, 2009 9:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Writing a rule to trigger on a spoofed mac address

Snort folks,

I have gotten some alerts recently on traffic triggered by "Emerging Threats Trojan Bot - potential reptile commands". When we looked at the PCAP file we saw that the MAC address on both ends of the conversation was spoofed: 11:22:33:44:55:66 and de:ad:ca:fe:ba:be. I am wondering if it's possible to write a rule that triggers on either one of those MAC addresses? I was reading in the Snort manual and I see potential reasons why this is not possible, such as the protocols portion of the alert (page 92). If it is possible, could you guys point me in the right direction?
--
Framework? I don't need no stinking framework!
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
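Since the detection engine does not expose link-layer addresses to rules, a check for the two MAC addresses Scottie reported has to run outside Snort, against the saved PCAP. The following standalone Python script is an added example, not code from the thread or the Snort project: it walks a classic libpcap file (Ethernet link type only) and lists every frame whose source or destination MAC is one of the two suspect addresses. The capture bytes it builds are constructed for the demonstration.

```python
import struct

# The two addresses reported in the thread; any other watchlist works the same way.
SPOOFED_MACS = {"11:22:33:44:55:66", "de:ad:ca:fe:ba:be"}

def mac_str(raw):
    """Render six raw bytes as a colon-separated lowercase MAC string."""
    return ":".join(f"{b:02x}" for b in raw)

def iter_frames(pcap_bytes):
    """Yield (frame_no, src_mac, dst_mac) for each record of a classic libpcap file."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:      # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:            # DLT_EN10MB: only Ethernet frames carry a MAC header
        raise ValueError("only Ethernet link type is supported")
    offset, frame_no = 24, 0
    while offset + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        frame_no += 1
        if len(frame) < 14:      # truncated frame: no complete Ethernet header
            continue
        yield frame_no, mac_str(frame[6:12]), mac_str(frame[0:6])

def find_spoofed_mac_frames(pcap_bytes, suspects=SPOOFED_MACS):
    """Return [(frame_no, src, dst)] for frames touching any suspect MAC."""
    return [(n, src, dst) for n, src, dst in iter_frames(pcap_bytes)
            if src in suspects or dst in suspects]

def build_sample_pcap():
    """Constructed sample: one frame between the spoofed MACs, one benign frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    def record(dst, src):
        eth = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
               + b"\x08\x00" + b"\x00" * 20)       # EtherType IPv4 + dummy payload
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth
    return (header + record("de:ad:ca:fe:ba:be", "11:22:33:44:55:66")
            + record("00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff"))

if __name__ == "__main__":
    for n, src, dst in find_spoofed_mac_frames(build_sample_pcap()):
        print(f"frame {n}: {src} -> {dst}")
```

To run it against a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `find_spoofed_mac_frames`; pcapng captures must be converted to classic pcap first.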